How to access your CD files




The print edition of this book includes a CD. To access the CD files, go to http://aka.ms/625150/files, and look for the Downloads tab.

Note: Use a desktop web browser, as files may not be accessible from all ereader devices.

Questions? Please contact: mspinput@microsoft.com

Microsoft Press

PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright 2008 by Stan Reimer and Mike Mulcare

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number: 2008920569

Printed and bound in the United States of America.

1 2 3 4 5 6 7 8 9 QWT 3 2 1 0 9 8

Distributed in Canada by H.B. Fenn and Company Ltd.

A CIP catalogue record for this book is available from the British Library.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to rkinput@microsoft.com.

Microsoft, Microsoft Press, Active Directory, ActiveX, Excel, Internet Explorer, Jscript, MS-DOS, Outlook, PowerPoint, SharePoint, SQL Server, Visio, Visual Basic, Windows, Windows Live, Windows Media, Windows Mobile, Windows NT, Windows PowerShell, Windows Server, Windows Server System, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

This book expresses the author's views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

Acquisitions Editor: Martin DelRe
Developmental Editor: Karen Szall
Project Editor: Maureen Zimmerman
Editorial Production: Custom Editorial Productions, Inc.
Technical Reviewer: Bob Dean; Technical Review services provided by Content Master, a member of CM Group, Ltd.
Cover: Tom Draper Design

Body Part No. X14-14924

To the three wonderful women in my life, Rhonda, Angela, and Amanda. Your love and encouragement keep me going.
Stan Reimer

I dedicate this book to the love of my life, Rhonda, and our precious sons, Brennan and Liam. Thank you for your continuous support and for being the reason that I do what I do. I also dedicate this book to the rest of my family, who are still trying to figure out what I actually do for a living.
Conan Kezema

To my family, Nancy, James, Sean, and Patrick. Thanks always for your encouragement and support.
Mike Mulcare

Tracey, Samantha, and Michelle, you are the reason I keep it going. Darrin, thanks for holding down the fort.
Byron Wright

Contents at a Glance Windows Server 2008 Active Directory Overview 1 What s New in Active Directory for Windows Server 2008............3 2 Active Directory Domain Services Components................... 19 3 Active Directory Domain Services and Domain Name System....... 63 4 Active Directory Domain Services Replication.................... 95 Part I Part II Designing and Implementing Windows Server 2008 Active Directory 5 Designing the Active Directory Domain Services Structure........ 143 6 Installing Active Directory Domain Services..................... 217 7 Migrating to Active Directory Domain Services.................. 247 Part III Administering Windows Server 2008 Active Directory 8 Active Directory Domain Services Security...................... 273 9 Delegating the Administration of Active Directory Domain Services............................................. 325 10 Managing Active Directory Objects............................ 357 11 Introduction to Group Policy.................................. 399 12 Using Group Policy to Manage User Desktops................... 455 13 Using Group Policy to Manage Security......................... 513 Maintaining Windows Server 2008 Active Directory 14 Monitoring and Maintaining Active Directory................... 551 15 Active Directory Disaster Recovery............................. 583 Part IV Identity and Access Management with Active Directory 16 Active Directory Lightweight Directory Services................. 619 17 Active Directory Certificate Services............................ 661 18 Active Directory Rights Management Services................... 703 19 Active Directory Federation Services........................... 745 Part V v

Table of Contents Acknowledgments......................................................... xxi Introduction............................................................. xxiii Overview of Book........................................................ xxiii Part I Windows Server 2008 Active Directory Overview................ xxiii Part II Designing and Implementing Windows Server 2008 Active Directory................................................... xxiv Part III Administering Windows Server 2008 Active Directory........... xxiv Part IV Maintaining Windows Server 2008 Active Directory............ xxv Part V Identity and Access Management with Active Directory......... xxv Document Conventions................................................... xxvi Reader Aids....................................................... xxvi Sidebars.......................................................... xxvi Command-Line Examples.......................................... xxvii Companion CD......................................................... xxvii Management Scripts.............................................. xxvii Using the Scripts.................................................. xxviii Find Additional Content Online........................................... xxviii Resource Kit Support Policy............................................... xxix Part I Windows Server 2008 Active Directory Overview 1 What s New in Active Directory for Windows Server 2008............3 What s New in Active Directory Domain Services............................... 3 Read-Only Domain Controllers (RODC)................................. 3 Active Directory Domain Services Auditing.............................. 6 Fine-Grained Password Policies........................................ 7 Restartable Active Directory Domain Services............................ 9 Database Mounting Tool.............................................. 9 User Interface Improvements......................................... 
10 What do you think of this book? We want to hear from you! Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit: www.microsoft.com/learning/booksurvey/ vii

viii Table of Contents Additional Active Directory Service Roles.................................... 11 Active Directory Certificate Services Role.............................. 12 Active Directory Federation Services Role.............................. 13 Active Directory Lightweight Directory Services Role.................... 15 Active Directory Rights Management Services Role..................... 16 Summary................................................................ 18 2 Active Directory Domain Services Components................... 19 AD DS Physical Structure.................................................. 19 The Directory Data Store............................................ 20 Domain Controllers................................................. 22 Global Catalog Servers.............................................. 23 Read-Only Domain Controllers....................................... 25 Operations Masters................................................. 28 Transferring Operations Master Roles................................. 32 The Schema....................................................... 32 AD DS Logical Structure................................................... 41 AD DS Partitions................................................... 42 Domains.......................................................... 46 Forests............................................................ 50 Trusts............................................................. 52 Sites.............................................................. 55 Organizational Units................................................ 57 Summary................................................................ 60 Additional Resources...................................................... 61 Related Tools....................................................... 61 Resources on the CD................................................ 61 Related Help Topics................................................. 
62 3 Active Directory Domain Services and Domain Name System....... 63 Integration of DNS and AD DS............................................. 64 Service Location (SRV) Resource Records.............................. 64 SRV Records Registered by AD DS Domain Controllers.................. 66 DNS Locator Service................................................ 69 Automatic Site Coverage............................................ 72 AD DS Integrated Zones................................................... 74 Benefits of Using AD DS Integrated Zones............................. 75 Default Application Partitions for DNS................................ 76 Managing AD DS Integrated Zones................................... 78

Table of Contents ix Integrating DNS Namespaces and AD DS Domains............................ 81 DNS Delegation.................................................... 82 Forwarders and Root Hints........................................... 83 Troubleshooting DNS and AD DS Integration........................... 88 Troubleshooting DNS................................................ 89 Troubleshooting SRV Record Registration.............................. 91 Summary................................................................ 92 Best Practices............................................................. 92 Additional Resources......................................................92 Related Information................................................. 92 Related Tools....................................................... 93 Resources on the CD................................................ 94 Related Help Topics................................................. 94 4 Active Directory Domain Services Replication.................... 95 AD DS Replication Model.................................................. 96 Replication Process........................................................ 97 Update Types...................................................... 97 Replicating Changes................................................ 99 Replicating the SYSVOL Directory.......................................... 105 Intrasite and Intersite Replication.......................................... 106 Intrasite Replication................................................ 107 Intersite Replication................................................ 108 Replication Latency................................................ 109 Urgent Replication................................................. 110 Replication Topology Generation........................................... 111 Knowledge Consistency Checker..................................... 
112 Connection Objects................................................ 112 Intrasite Replication Topology....................................... 114 Global Catalog Replication.......................................... 118 Intersite Replication Topology....................................... 119 RODCs and the Replication Topology................................. 120 Configuring Intersite Replication........................................... 122 Creating Additional Sites............................................ 123 Site Links......................................................... 124 Site Link Bridges................................................... 128 Replication Transport Protocols...................................... 129 Configuring Bridgehead Servers..................................... 130

x Table of Contents Troubleshooting Replication.............................................. 133 Process for Troubleshooting AD DS Replication Failures................. 133 Tools for Troubleshooting AD DS Replication.......................... 134 Summary............................................................... 137 Best Practices........................................................... 137 Additional Resources..................................................... 138 Related Information............................................... 138 Related Tools...................................................... 139 Resources on the CD............................................... 140 Related Help Topics................................................ 140 Part II Designing and Implementing Windows Server 2008 Active Directory 5 Designing the Active Directory Domain Services Structure........ 143 Defining Directory Service Requirements................................... 144 Defining Business and Technical Requirements........................ 145 Documenting the Current Environment.............................. 150 Designing the Forest Structure............................................ 156 Forests and AD DS Design.......................................... 158 Single or Multiple Forests........................................... 159 Designing Forests for AD DS Security................................. 161 Forest Design Models.............................................. 163 Defining Forest Ownership......................................... 166 Forest Change Control Policies...................................... 167 Designing the Integration of Multiple Forests............................... 167 Designing Inter-Forest Trusts........................................ 168 Designing Directory Integration Between Forests...................... 172 Designing the Domain Structure........................................... 
172 Determining the Number of Domains................................ 174 Designing the Forest Root Domain................................... 176 Designing Domain Hierarchies...................................... 177 Domain Trees and Trusts............................................ 178 Changing the Domain Hierarchy After Deployment.................... 180 Defining Domain Ownership........................................ 180 Designing Domain and Forest Functional Levels............................. 181 Features Enabled at Domain Functional Levels........................ 181 Features Enabled at Forest Functional Levels.......................... 183 Implementing a Domain and Forest Functional Level................... 183

Table of Contents xi Designing the DNS Infrastructure.......................................... 184 Namespace Design................................................. 184 Designing the Organizational Unit Structure................................. 192 Organizational Units and AD DS Design.............................. 192 Designing an OU Structure.......................................... 193 Creating an OU Design............................................. 195 Designing the Site Topology............................................... 197 Sites and AD DS Design............................................. 198 Creating a Site Design.............................................. 198 Creating a Replication Design....................................... 202 Designing Server Locations......................................... 206 Summary............................................................... 214 Best Practices............................................................ 214 Additional Resources..................................................... 215 Related Information................................................ 215 Resources on the CD............................................... 216 6 Installing Active Directory Domain Services..................... 217 Prerequisites for Installing AD DS.......................................... 217 Hard Disk Space Requirements...................................... 218 Network Connectivity.............................................. 219 DNS.............................................................. 220 Administrative Permissions.......................................... 220 Operating System Compatibility..................................... 221 Understanding AD DS Installation Options.................................. 222 Installation Configuration Tasks and the Add Roles Wizard.............. 222 Server Manager................................................... 
223 Active Directory Domain Services Installation.......................... 224 Unattended Installation............................................. 225 Using the Active Directory Domain Services Installation Wizard................ 225 Deployment Configuration.......................................... 226 Naming the Domain............................................... 227 Setting the Windows Server 2008 Functional Levels.................... 228 Additional Domain Controller Options................................ 232 File Locations..................................................... 233 Completing the Installation......................................... 234 Verifying Installation of AD DS....................................... 235

xii Table of Contents Performing an Unattended Installation..................................... 236 Installing from Media.............................................. 237 Deploying Read-Only Domain Controllers.................................. 238 Server Core Installation Window Server 2008.......................... 239 Deploying the RODC............................................... 239 Removing AD DS........................................................ 240 Removing Additional Domain Controllers............................. 241 Removing the Last Domain Controller................................ 242 Unattended Removal of AD DS...................................... 243 Forced Removal of a Windows Server 2008 Domain Controller.......... 243 Summary............................................................... 244 Additional Resources..................................................... 244 Related Information............................................... 244 Related Tools...................................................... 246 7 Migrating to Active Directory Domain Services.................. 247 Migration Paths......................................................... 248 The Domain Upgrade Migration Path................................ 249 Domain Restructuring.............................................. 250 Determining Your Migration Path.......................................... 252 Upgrading the Domain................................................... 254 Upgrading from Windows 2000 Server and Windows Server 2003....... 255 Restructuring the Domain................................................ 257 Interforest Migration............................................... 258 Intraforest Migration..................................................... 265 Configuring Interforest Trusts............................................. 266 Summary............................................................... 
268 Best Practices........................................................... 269 Additional Resources..................................................... 269 Related Information............................................... 269 Related Tools...................................................... 270 Part III Administering Windows Server 2008 Active Directory 8 Active Directory Domain Services Security...................... 273 AD DS Security Basics.................................................... 274 Security Principals................................................. 274 Access Control Lists................................................ 275

Table of Contents xiii Access Tokens..................................................... 278 Authentication.................................................... 278 Authorization..................................................... 279 Kerberos Security........................................................280 Introduction to Kerberos............................................ 281 Kerberos Authentication............................................ 283 Delegation of Authentication........................................ 291 Configuring Kerberos in Windows Server 2008........................ 293 Integration with Public Key Infrastructure............................. 294 Integration with Smart Cards........................................ 297 Interoperability with Other Kerberos Systems.......................... 298 Troubleshooting Kerberos........................................... 299 NTLM Authentication.................................................... 303 Implementing Security for Domain Controllers............................... 305 Decrease the Domain Controller Attack Surface........................ 306 Configuring the Default Domain Controllers Policy..................... 308 Configuring SYSKEY................................................ 317 Designing Secure Administrative Practices................................... 318 Summary............................................................... 321 Best Practices............................................................ 321 Additional Resources..................................................... 321 Related Information................................................ 321 Related Tools...................................................... 322 Resources on the CD............................................... 323 Related Help Topics................................................ 323 9 Delegating the Administration of Active Directory Domain Services............................................. 
Table of Contents

  Active Directory Administration Tasks ... 326
  Accessing Active Directory Objects ... 327
    Evaluating Deny and Allow ACEs in a DACL ... 329
  Active Directory Object Permissions ... 329
    Standard Permissions ... 330
    Special Permissions ... 331
    Permissions Inheritance ... 336
    Effective Permissions ... 340
    Ownership of Active Directory Objects ... 343
  Delegating Administrative Tasks ... 345
  Auditing the Use of Administrative Permissions ... 348
    Configuring the Audit Policy for the Domain Controllers ... 348
    Configuring Auditing on Active Directory Objects ... 351
  Tools for Delegated Administration ... 352
    Customizing the Microsoft Management Console ... 353
  Planning for the Delegation of Administration ... 354
  Summary ... 355
  Additional Resources ... 356
    Related Information ... 356

10 Managing Active Directory Objects ... 357
  Managing Users ... 357
    User Objects ... 358
    inetorgperson Objects ... 363
    Contact Objects ... 364
    Service Accounts ... 365
  Managing Groups ... 366
    Group Types ... 366
    Group Scope ... 367
    Default Groups in Active Directory ... 371
    Special Identities ... 373
    Creating a Security Group Design ... 374
  Managing Computers ... 377
  Managing Printer Objects ... 379
    Publishing Printers in Active Directory ... 380
    Printer Location Tracking ... 383
  Managing Published Shared Folders ... 384
  Automating Active Directory Object Management ... 386
    Command-Line Tools for Active Directory Management ... 386
    Using LDIFDE and CSVDE ... 387
    Using VBScript to Manage Active Directory Objects ... 389
  Summary ... 395
  Best Practices ... 395
  Additional Resources ... 396
    Related Information ... 396
    Related Tools ... 397
    Resources on the CD ... 397

11 Introduction to Group Policy ... 399
  Group Policy Overview ... 400
    How Group Policy Works ... 401
    What's New in Windows Server 2008 Group Policy? ... 404
  Group Policy Components ... 405
    Overview of the Group Policy Container ... 405
    Components of the Group Policy Template ... 407
    Replication of the Group Policy Object Components ... 409
  Group Policy Processing ... 409
    How Clients Process GPOs ... 410
    Initial GPO Processing ... 413
    Background GPO Refreshes ... 415
    How GPO History Relates to Group Policy Refresh ... 416
    Exceptions to Default Background Processing Interval Times ... 418
  Implementing Group Policy ... 423
    GPMC Overview ... 424
    Using the GPMC to Create and Link GPOs ... 426
    Modifying the Scope of GPO Processing ... 427
    Delegating the Administration of GPOs ... 436
    Implementing Group Policy Between Domains and Forests ... 438
  Managing Group Policy Objects ... 439
    Backing Up and Restoring GPOs ... 439
    Copying Group Policy Objects ... 441
    Importing Group Policy Object Settings ... 441
    Modeling and Reporting Group Policy Results ... 442
  Scripting Group Policy Management ... 447
  Planning a Group Policy Implementation ... 450
  Troubleshooting Group Policy ... 451
  Summary ... 453
  Additional Resources ... 453
    Related Information ... 453

12 Using Group Policy to Manage User Desktops ... 455
  Desktop Management Using Group Policy ... 456
  Managing User Data and Profile Settings ... 459
    Managing User Profiles ... 459
    Using Group Policy to Manage Roaming User Profiles ... 466
    Folder Redirection ... 469

  Administrative Templates ... 477
    Understanding Administrative Template Files ... 478
    Managing Domain-based Template Files ... 481
    Best Practices for Managing ADMX Template Files ... 482
  Using Scripts to Manage the User Environment ... 484
  Deploying Software Using Group Policy ... 485
    Windows Installer Technology ... 486
    Deploying Applications ... 486
    Using Group Policy to Distribute Non-Windows Installer Applications ... 490
    Configuring Software Package Properties ... 491
    Using Group Policy to Configure Windows Installer ... 498
    Planning for Group Policy Software Installation ... 500
    Limitations to Using Group Policy to Manage Software ... 501
  Overview of Group Policy Preferences ... 503
    Group Policy Preferences vs. Policy Settings ... 503
    Group Policy Preferences Settings ... 504
    Group Policy Preferences Options ... 507
  Summary ... 510
  Additional Resources ... 510
    Related Information ... 510
    On the Companion CD ... 511

13 Using Group Policy to Manage Security ... 513
  Configuring Domain Security with Group Policy ... 513
    Overview of the Default Domain Policy ... 514
    Overview of the Default Domain Controllers Policy ... 519
    Recreating the Default GPOs for a Domain ... 526
    Fine-Grained Password Policies ... 527
  Hardening Server Security Using Group Policy ... 532
    Software Restriction Policies ... 535
  Configuring Network Security Using Group Policy ... 537
    Configuring Wired Network Security ... 538
    Configuring Wireless Network Security ... 541
    Configuring Windows Firewall and IPsec Security ... 541
  Configuring Security Settings Using Security Templates ... 543
    Deploying Security Templates ... 545

  Summary ... 547
  Additional Resources ... 548
    Related Information ... 548

Part IV Maintaining Windows Server 2008 Active Directory

14 Monitoring and Maintaining Active Directory ... 551
  Monitoring Active Directory ... 551
    Why Monitor Active Directory ... 553
    Monitoring Server Reliability and Performance ... 554
    How to Monitor Active Directory ... 561
    What to Monitor ... 571
    Monitoring Replication ... 572
  Active Directory Database Maintenance ... 575
    Garbage Collection ... 575
    Online Defragmentation ... 576
    Offline Defragmentation of the Active Directory Database ... 577
    Managing the Active Directory Database Using Ntdsutil ... 578
  Summary ... 580
  Additional Resources ... 581
    Related Information ... 581

15 Active Directory Disaster Recovery ... 583
  Planning for a Disaster ... 584
  Active Directory Data Storage ... 585
  Backing Up Active Directory ... 587
    The Need for Backups ... 589
    Tombstone Lifetime ... 589
    Backup Frequency ... 591
  Restoring Active Directory ... 591
    Restoring Active Directory by Creating a New Domain Controller ... 592
    Performing a Nonauthoritative Restore of Active Directory ... 595
    Performing an Authoritative Restore of Active Directory ... 599
    Restoring Group Memberships ... 601
    Reanimating Tombstone Objects ... 605
    Using the Active Directory Database Mounting Tool ... 607
    Restoring SYSVOL Information ... 610
    Restoring Operations Masters and Global Catalog Servers ... 610

  Summary ... 614
  Best Practices ... 614
  Additional Resources ... 615
    Related Information ... 615
    Related Tools ... 615

Part V Identity and Access Management with Active Directory

16 Active Directory Lightweight Directory Services ... 619
  AD LDS Overview ... 620
    AD LDS Features ... 620
    AD LDS Deployment Scenarios ... 620
  AD LDS Architecture and Components ... 622
    AD LDS Servers ... 622
    AD LDS Instances ... 623
    Directory Partitions ... 624
    AD LDS Replication ... 629
    AD LDS Security ... 633
  Implementing AD LDS ... 640
    Configuring Instances and Application Partitions ... 640
    AD LDS Management Tools ... 643
    Configuring Replication ... 648
    Backing Up and Restoring AD LDS ... 651
  Configuring AD DS and AD LDS Synchronization ... 654
  Summary ... 657
  Best Practices ... 657
  Additional Resources ... 658
    Related Tools ... 658
    Resources on the CD ... 659
    Related Help Topics ... 659

17 Active Directory Certificate Services ... 661
  Active Directory Certificate Services Overview ... 661
    Public Key Infrastructure Components ... 662
    Certification Authorities ... 667
    Certificate Services Deployment Scenarios ... 670
  Implementing AD CS ... 670
    Installing AD CS Root Certification Authorities ... 671
    Installing AD CS Subordinate Certification Authorities ... 673

    Configuring Web Enrollment ... 673
    Configuring Certificate Revocation ... 674
    Managing Key Archival and Recovery ... 681
  Managing Certificates in AD CS ... 685
    Configuring Certificate Templates ... 685
    Configuring Certificate Autoenrollment ... 690
    Managing Certificate Acceptance with Group Policy ... 692
    Configuring Credential Roaming ... 693
  Designing an AD CS Implementation ... 694
    Designing a CA Hierarchy ... 694
    Designing Certificate Templates ... 697
    Designing Certificate Distribution and Revocation ... 700
  Summary ... 700
  Best Practices ... 701
  Additional Resources ... 701
    Related Information ... 701
    Related Tools ... 702

18 Active Directory Rights Management Services ... 703
  AD RMS Overview ... 704
    AD RMS Features ... 704
    AD RMS Components ... 706
    How AD RMS Works ... 709
    AD RMS Deployment Scenarios ... 713
  Implementing AD RMS ... 714
    Preinstallation Considerations Before Installing AD RMS ... 714
    Installing AD RMS Clusters ... 715
    Configuring the AD RMS Service Connection Point ... 720
    Working with AD RMS Clients ... 721
  Administering AD RMS ... 726
    Managing Trust Policies ... 726
    Managing Rights Policy Templates ... 733
    Configuring Exclusion Policies ... 738
    Configuring Security Policies ... 739
    Viewing Reports ... 741
  Summary ... 742
  Additional Resources ... 742
    Related Information ... 743

19 Active Directory Federation Services ... 745
  AD FS Overview ... 746
    Identity Federation ... 746
    Web Services ... 747
    AD FS Components ... 749
    AD FS Deployment Designs ... 753
  Implementing AD FS ... 759
    AD FS Deployment Requirements ... 760
    Implementing AD FS in a Federation Web SSO Design ... 767
    Configuring the Account Partner Federation Service ... 774
    Configuring Resource Partner AD FS Components ... 782
    Configuring AD FS for Windows NT Token-based Applications ... 787
    Implementing a Web SSO Design ... 789
    Implementing a Federated Web SSO with Forest Trust Design ... 790
  Summary ... 791
  Best Practices ... 791
  Additional Resources ... 792
    Resources on the CD ... 792
    Related Help Topics ... 792

Index ... 795

Acknowledgments

by Stan Reimer (for the team):

First of all, I want to thank my coauthors for their hard work on this book. When I was first asked to lead this writing project, I looked around for the right people to work with me on this book and I couldn't have picked a better team.

Secondly, I want to thank the folks at Microsoft Press. This team includes Martin DelRe, the program manager, who kept poking us until we agreed to do this project, Karen Szall, the content development manager, and Maureen Zimmerman, the content project manager. I am sure that the problems we had keeping to the schedule on this book caused a few headaches for this group, but they were amazingly supportive and encouraging all the way through. Maureen had an amazing knack for reminding us when materials were due without making it feel like nagging. Thanks to Bob Dean, the technical reviewer, for his valuable comments.

Production for this book was professionally handled by Custom Editorial Productions Inc., with Linda Allen as the project manager, Cecilia Munzenmaier as the copy editor, and many others who toiled away in the background. As writers, we get to have all of the fun at the beginning of the process; these folks are still working on this long after we are done.

A Resource Kit doesn't come together without a lot of interaction with the product groups at Microsoft, as well as other technical experts, such as Directory Services MVPs. All of the chapters in this book have been reviewed by these experts and many of these experts contributed to the Direct from the Source, Direct from the Field, or How It Works sidebars that you will enjoy reading in this book. These reviewers and contributors include: James McColl, Mike Stephens, Moon Majumdar, Judith Herman, Mark Gray, Linda Moore, Greg Robb, Barry Hartman, Christiane Soumahoro, Gautam Anand, Michael Hunter, Alain Lissoir, Yong Liang, David Hastie, Teoman Smith, Brian Lich, Matthew Rimer, David Fisher, Bob Drake, Rob Greene, Andrej Budja, Rob Lane, Gregoire Guetat, Donovan Follette, Pavan Kompelli, Sanjeev Balarajan, Fatih Colgar, Brian Desmond, Jose Luis Auricchio, Darol Timberlake, Peter Li, Elbio Abib, Ashish Sharma, Nick Pierson, Lu Zhao, and Antonio Calomeni.

by Conan Kezema:

Special thanks to my fellow coauthors for their hard work on this book. I would also like to thank Stan for the many opportunities he has provided over the years; he is a great friend and mentor.

Introduction

Welcome to the Windows Server 2008 Active Directory Resource Kit, your complete source for the information you need to design and implement Active Directory in Windows Server 2008. The Windows Server 2008 Active Directory Resource Kit is a comprehensive technical resource for planning, deploying, maintaining, and troubleshooting an Active Directory infrastructure in Windows Server 2008. While the target audience for this Resource Kit is experienced IT professionals who work in medium-sized and large-sized organizations, anyone who wants to learn how to implement and manage Active Directory in Windows Server 2008 will find this Resource Kit invaluable.

One of the new features in Windows Server 2008 Active Directory is that the term Active Directory now covers a lot more territory than it did in previous iterations of this directory service. What was previously called Active Directory in Windows 2000 and Windows Server 2003 is now called Active Directory Domain Services (AD DS), and several more directory service components have been included under the Active Directory umbrella. These include Active Directory Lightweight Directory Services (AD LDS), Active Directory Certificate Services (AD CS), Active Directory Rights Management Services (AD RMS), and Active Directory Federation Services (AD FS).

Within this Resource Kit you'll find in-depth technical information on how Active Directory works in Windows Server 2008. In addition, you will find detailed task-based guidance for implementing and maintaining the Active Directory infrastructure. You'll also find numerous sidebars contributed by members of the Active Directory product team, other directory experts at Microsoft, and directory services MVPs that provide deep insight into how Active Directory works, best practices for designing and implementing Active Directory, and invaluable troubleshooting tips. Finally, the companion CD includes deployment tools, templates, and many sample scripts that you can use and customize to help you automate various aspects of managing Active Directory in enterprise environments.

Overview of Book

This book is divided into the following five parts with the following chapters:

Part I Windows Server 2008 Active Directory Overview

Chapter 1 What's New in Active Directory for Windows Server 2008
This chapter provides an overview of the new features that are available in Windows Server 2008. If you know Windows Server 2003 Active Directory, this is a good place for you to get a quick overview of some of the new material that will be covered in this book.

Chapter 2 Active Directory Domain Services Components
This chapter provides an overview of Active Directory Domain Services. If you are somewhat new to Active Directory, this is a great chapter to get you started on the terms and concepts that make up AD DS.

Chapter 3 Active Directory Domain Services and Domain Name System
One of the most critical components that you need in order to make AD DS work efficiently is a properly implemented DNS infrastructure. This chapter provides information on how to do this.

Chapter 4 Active Directory Domain Services Replication
In order to work with AD DS, you will need to understand replication. This chapter provides all of the details of how AD DS replication works and how to configure it.

Part II Designing and Implementing Windows Server 2008 Active Directory

Chapter 5 Designing the Active Directory Domain Services Structure
Before deploying AD DS, you need to create a design that meets your organization's requirements. This chapter provides the in-depth information that you will need to do that planning.

Chapter 6 Installing Active Directory Domain Services
Installing AD DS on a Windows Server 2008 computer is pretty easy, but there are several variations on how to perform the installation. This chapter describes all of the options and the reasons for choosing each one.

Chapter 7 Migrating to Active Directory Domain Services
Many organizations are already running a previous version of Active Directory. This chapter provides the details on how to deploy Windows Server 2008 domain controllers in this environment, and how to migrate the Active Directory environment to Windows Server 2008.

Part III Administering Windows Server 2008 Active Directory

Chapter 8 Active Directory Domain Services Security
AD DS provides the core network authentication and authorization services in many organizations. This chapter describes how AD DS security works and the steps you can take to secure your AD DS environment.

Chapter 9 Delegating the Administration of Active Directory Domain Services
One of the options in implementing AD DS is that you can delegate many administrative tasks to other administrators without granting them domain-level permissions. This chapter describes how AD DS permissions work and how to delegate them.

Chapter 10 Managing Active Directory Objects
Most of your time as an AD DS administrator will be spent managing AD DS objects like users, groups, and organizational units. This chapter deals with how to manage these objects individually, but also provides details on how to manage large numbers of these objects by using scripts.

Chapter 11 Introduction to Group Policy
A central component in a Windows Server 2008 network management system is Group Policy. With Group Policy, you can manage many desktop settings as well as configure security. This chapter begins by explaining what Group Policy objects are and shows how to apply and filter Group Policy objects.

Chapter 12 Using Group Policy to Manage User Desktops
One of the important tasks you can perform with Group Policy is configuring user desktops. In Windows Server 2008 and Windows Vista, there are several thousand Group Policy settings available. This chapter describes not only how to apply the policies, but also which policies are most important to apply.

Chapter 13 Using Group Policy to Manage Security
Another important task that you can perform with Group Policy is applying security settings. This includes settings that will be applied to all users and computers in the domain as well as settings that can be applied to individual computers or users. This chapter provides the details on how to configure security by using Group Policy.

Part IV Maintaining Windows Server 2008 Active Directory

Chapter 14 Monitoring and Maintaining Active Directory
This chapter prepares you to maintain your Active Directory infrastructure after you deploy it. This chapter covers how to monitor your AD DS environment, and how to maintain the AD DS domain controllers.

Chapter 15 Active Directory Disaster Recovery
Because of the central role that AD DS has in many corporations, it is critical that you know how to prepare for and recover from disasters within your AD DS environment. This chapter details how you can do this.

Part V Identity and Access Management with Active Directory

Chapter 16 Active Directory Lightweight Directory Services
AD LDS is one of the new server roles that are included under the Active Directory umbrella in Windows Server 2008. AD LDS is designed to be an application directory; this chapter describes how you can deploy and manage your AD LDS environment.

Chapter 17 Active Directory Certificate Services
AD CS can be used to provide the public key infrastructure that issues the digital certificates that are so critical for many network security implementations. This chapter describes how to plan and implement AD CS.

Chapter 18 Active Directory Rights Management Services
AD RMS provides the tools to apply persistent usage policies that stay with the information even as it is moved around within or outside the organization. This chapter details how to implement AD RMS.